What is a My Health Record security and access policy and why does my practice need one?

May 1, 2024

All healthcare providers in Australia have professional and legal obligations to protect their patients' sensitive health information. 

Practice owners and managers need to understand their obligations under the Privacy Act 1988 and should be striving to embed good privacy in their practice. 

In addition, healthcare organisations are required, by legislation, to have a written My Health Record security and access policy to register, and remain registered, with My Health Record regardless of the organisation’s size or how often they access the My Health Record system.

At a minimum, an organisation’s My Health Record security and access policy must address the following: 

  • how people are authorised to access the My Health Record system, and how access is deactivated or suspended when certain circumstances arise
  • the training that is provided to employees before they access the My Health Record system, including how to use the system accurately and responsibly, the legal obligations on healthcare provider organisations and individuals and the consequences of breaching those obligations
  • the process for identifying a person who requests access to a healthcare recipient’s My Health Record and communicating the person’s identity to the System Operator
  • the physical and information security measures taken by the healthcare provider organisation and people accessing the My Health Record system
  • mitigation strategies to promptly identify, act upon and report security risks
  • assisted registration information (if applicable)

Having a My Health Record security and access policy helps to ensure that the information held within My Health Record is used appropriately, kept secure and protected. 

Listen to the Australian Digital Health Agency’s new podcast to learn more about the key components of a My Health Record security and access policy.

You can also reach out to SEMPHN's Digital Health Team for support by emailing digitalhealth@semphn.org.au.

Latest news

July 2, 2025
The Department of Health, Disability and Ageing has extended the healthdirect Video Call COVID-19 GP Program and the healthdirect Video Call Exemplar Program to 30 June 2026.
July 2, 2025
A SEMPHN peer mentoring program is helping new practice managers gain the skills and confidence to run successful general practices and support the delivery of quality patient care – and more are needed.
July 1, 2025
New GP Chronic Conditions Management (GPCCM) MBS items are now in effect (from 1 July 2025).